Fortinet vulnerability - FG-IR-22-398 / CVE-2022-42475

Fortinet vulnerability - FG-IR-22-398 / CVE-2022-42475

Fortinet vulnerability - FG-IR-22-398 / CVE-2022-42475

This vulnerability was already named in December 2022 - but now it is increasingly being observed that this vulnerability is also being successfully exploited. We would therefore like to emphasise this once again: This vulnerability should be closed very promptly. 

Information about the vulnerability and the attack "in a nutshell"

Vulnerability: A "heap-based buffer overflow in SSLVPNd" is being exploited in affected FortiOS installations. This is a complex attack that is likely to be carried out by experienced attackers/hackers. This attack could primarily target large companies and government and government-related infrastructures 

  • The attack has been discovered several times "in the wild", so the vulnerability is being actively exploited.

  • The attack is tailored to the FortiOS operating system developed and used by the manufacturer Fortinet, with the aim of leveraging "intrusion prevention" (IPS).

By manipulating the IPS, the attackers are able to establish undetected connections to external servers in order to reload and execute malicious code and carry out data leaks. In order to remain undetected, the logging of the affected firewalls is also manipulated.

Is there a way to tell if you have already been affected by the hack?

On FortiOS, you can check for these files:

In the folder "/data/lib":

as well as

  • /var/.sslvpnconfigbk

  • /data/etc/wxd.conf

  • /flash

If individual files are found, this is a clear indication that this Fortigate Firewall is already affected by the hack, as these are files that have never been used in FortiOS.

How can I find these files?

  • Execute the command: # fnsysctl ls -l /data/lib

  • Execute the command: # fnsysctl ls -la /var

  • Executing the command: # fnsysctl ls -l /data/etc

  • Executing the command: # fnsysctl ls -l /

Do I see anything in the log?

I notice several of the following entries in the logging:

Logdesc="Application crashed" and msg="[....] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

Another way to check if you are affected

Execute the command: # diagnose debug crashlog read

Several of these entries appear:

  • xxxx: [ Date & Time ] <.....> firmware  [ Firmware version ]

  • xxxx: [ Date & Time ] <.....> application sslvpnd

  • xxxx: [ Date & Time ] <.....> *** signal 11 (Segmentation fault) received ***

Which versions of FortiOS are affected by the vulnerability?

  • FortiOS up to and including version 7.2.2, 7.0.8, 6.4.10, 6.2.11, 6.0.15 and older versions

  • FortiOS-6K7K up to and including version 7.0.7, 6.4.9, 6.2.11, 6.0.14

  • FortiProxy up to and including version 7.2.1, 7.0.7, 2.0.11, 1.2.13, 1.1.6, 1.0.7

How do I protect myself from exploiting the vulnerability?

  • Upgrade FortiOS to at least version 7.2.3

  • Upgrade FortiOS to at least version 7.0.9

  • Upgrade FortiOS to at least version 6.4.11

  • Upgrade FortiOS to at least version 6.2.12

  • Upgrade FortiOS to at least version 6.0.16

  • Upgrade FortiOS-6K7K to at least 7.0.8

  • Upgrade FortiOS-6K7K to at least 6.4.10

  • Upgrade FortiOS-6K7K to at least 6.2.12

  • Upgrade FortiOS-6K7K to at least 6.0.15

  • Upgrade FortiProxy to at least 7.2.2

  • Upgrade FortiProxy to at least 7.0.8

  • Upgrade FortiProxy to at least 2.0.12

Can I detect an attack?

The manufacturer Fortinet has provided the following options:

  1. All binaries are detected by the Fortigates AV engine

  2. An "Outbreak Alert Package" has been created for the FortiAnalyzer, to detect and report connections to known servers

  3. An IPS signature was created to proactively protect against the attack

Is there a workaround?

Yes, we recommend deactivating the SSL VPN. 

What can I do if I am affected?

You can contact us or the manufacturer directly. It is important that you carry out an extended check of the setup. This should be as complete as possible, i.e. taking into account all external and extension units. 

Helpful links: 

An official link to the hack is provided by the manufacturer itself:

https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd

A good explanation and overview can also be found here:

https://thehackernews.com/2023/01/fortios-flaw-exploited-as-zero-day-in.html